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Summary 

The  following  report  describes  information  security  and  data  breach  notification  requirements 
included  in  the  Privacy  Act,  the  Federal  Information  Security  Management  Act,  Office  of 
Management  and  Budget  Guidance,  the  Veterans  Affairs  Information  Security  Act,  the  Health 
Insurance  Portability  and  Accountability  Act,  the  Gramm-Leach-BIiley  Act,  the  Federal  Trade 
Commission  Act,  and  the  Fair  Credit  Reporting  Act.  Also  included  in  this  report  is  a  brief 
summary  of  the  Payment  Card  Industry  Data  Security  Standard  (PCI  DSS),  an  industry  regulation 
developed  by  VISA,  MasterCard,  and  other  bank  card  distributors. 

Information  security  laws  are  designed  to  protect  personally  identifiable  information  from 
compromise,  unauthorized  disclosure,  unauthorized  acquisition,  unauthorized  access,  or  other 
situations  where  unauthorized  persons  have  access  or  potential  access  to  personally  identifiable 
information  for  unauthorized  purposes.  Data  breach  notification  laws  typically  require  covered 
entities  to  implement  a  breach  notification  policy,  and  include  requirements  for  incident  reporting 
and  handling  and  external  breach  notification. 

During  the  110*  Congress,  three  data  security  bills — S.  239  (Feinstein),  S.  495  (Leahy),  and  S. 
1178  (Inouye) — were  reported  favorably  out  of  Senate  committees.  Those  bills  include 
information  security  and  data  breach  notification  requirements.  Several  other  data  security  bills 
were  also  introduced.  The  109*  and  110*  Congresses  did  not  pass  data  security  legislation.  In  the 
111*  Congress,  expectations  are  that  efforts  to  move  data  security  legislation  will  continue  this 
year. 

As  part  of  H.R.  1 ,  the  American  Recovery  and  Reinvestment  Act  of  2009,  the  111th 
Congress  is  considering  legislation  to  promote  the  widespread  adoption  of  health 
information  technology  (HIT).  H.R.  1  includes  provisions  dealing  with  the  security  of 
health  information,  and  requires  covered  entities  to  notify  affected  persons  in  cases  of 
breach  of  protected  health  information. 

For  related  reports,  see  the  Current  Legislative  Issues  Web  page  for  “Privacy  and  Data  Security” 
available  at  http://www.crs.gov.  This  report  will  be  updated. 
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Background 

Because  of  questions  about  the  security  of  sensitive  personal  information,  this  report  provides  an 
overview  of  federal  information  security  and  data  breach  notification  laws  that  are  applicable  to 
certain  entities  that  collect,  maintain,  own,  possess,  or  license  sensitive  personal  information.' 

Information  security  laws  are  designed  to  protect  personally  identifiable  information  or  sensitive 
personal  information  from  compromise,  and  from  unauthorized  disclosure,  acquisition,  access,  or 
other  situations  where  unauthorized  persons  have  access  or  potential  access  to  personally 
identifiable  information  for  unauthorized  purposes.  Data  breach  notification  laws  typically 
require  covered  entities  to  implement  a  breach  notification  policy,  and  include  requirements  for 
incident  reporting  and  handling  and  external  breach  notification.  A  data  breach  occurs  when  there 
is  a  loss  or  theft  of,  or  other  unauthorized  access  to,  data  containing  sensitive  personal 
information  that  results  in  the  potential  compromise  of  the  confidentiality  or  integrity  of  data. 

Data  breach  notification  laws  typically  cover  “personally  identifiable  information”  or 
“individually  identifiable  information.” 

No  single  federal  law  or  regulation  governs  the  security  of  all  types  of  sensitive  personal 
information.  Determining  which  federal  law,  regulation,  and  guidance  is  applicable  depends  in 
part  on  the  entity  or  sector  that  collected  the  information,  and  the  type  of  information  collected 
and  regulated.  Under  federal  law  certain  sectors  are  legally  obligated  to  protect  certain  types  of 
sensitive  personal  information.  These  obligations  were  created,  in  large  part,  when  federal  privacy 
legislation  was  enacted  in  the  credit,  financial  services,  health  care,  government,  securities,  and 
Internet  sectors.  Federal  regulations  were  issued  to  require  certain  entities  to  implement 
information  security  programs  and  provide  breach  notice  to  affected  persons.^ 

For  example,  there  are  federal  information  security  requirements  applicable  to  all  federal 
government  agencies  (FISMA)  and  a  federal  information  security  law  applicable  to  a  sole  federal 
department  (Veterans  Affairs).  In  the  private  sector,  different  laws  apply  to  private  sector  entities 
engaged  in  different  businesses.  This  is  what  is  commonly  referred  to  as  a  sectoral  approach  to 
the  protection  of  personal  information. 

Some  critics  say  that  current  laws  focus  too  closely  on  industry-specific  uses  of  information,  like 
credit  reports  or  medical  data,  rather  than  on  protecting  the  privacy  of  individuals.^  Others  believe 
the  sectoral  approach  to  the  protection  of  personal  information  reflects  not  only  variations  in  the 
types  of  information  collected  (e.g.,  government,  private  sector,  health,  financial,  etc.),  but  also 


*  For  a  discussion  of  Section  222  of  the  Communications  Act  of  1934,  as  amended  (47  U.S.C.  222),  which  establishes  a 
duty  for  telecommunications  carrier  to  protect  the  confidentiality  of  customers’  customer  proprietary  network 
information  (CPNI),  see  CRS  Report  RL34409,  Selected  Laws  Governing  the  Disclosure  of  Customer  Phone  Records 
by  Telecommunications  Carriers,  by  Kathleen  Ann  Ruane.  For  a  discussion  of  Sections  302  and  404  of  the  Sarbanes- 
Oxley  Act  of  2002,  P.L.  107-204,  which  require  public  companies  to  ensure  that  they  have  implemented  appropriate 
information  security  controls  with  respect  to  their  financial  information,  see  CRS  Report  RS22482,  Section  404  of  the 
Sarbanes-Oxley  Act  of 2002  (Management  Assessment  of  Internal  Controls):  Current  Regulation  and  Congressional 
Concerns,  by  Michael  V.  Seitzinger. 

^  Thomas  J.  Smedinghoff,  “The  New  Law  of  Information  Security:  What  Companies  Need  To  Do  Now,”  22  The 
Computer  &  Internet  Lawyer  9  (November  2005). 

^  Tom  Zeller,  Jr.,  “Breach  Points  Up  Flaws  in  Privacy  Laws,  ”  N.Y.  Times,  Feb.  24,  2005  at  Al. 
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differences  in  the  regulatory  framework  for  particular  sectors.  Others  advocate  a  national  standard 
for  entities  that  maintain  personal  information  in  order  to  harmonize  legal  ohligations."^ 

In  the  absence  of  a  comprehensive  federal  data  breach  notification  law,  the  majority  of  states  have 
passed  bills  to  require  businesses  and/or  government  agencies  to  notify  persons  affected  by 
breaches  involving  their  sensitive  personal  information,  and  in  some  cases  to  implement 
information  security  programs  to  protect  the  security,  confidentiality,  and  integrity  of  data.^  As  of 
December  16,  2008,  44  states,  the  District  of  Columbia,  Puerto  Rico,  and  the  Virgin  Islands  have 
enacted  legislation  requiring  notification  of  security  breaches  involving  personal  information.® 
Several  states  have  reportedly  considered  legislation  to  hold  retailers  liable  for  third  party 
companies’  costs  arising  from  data  breaches  (California,  Connecticut,  Illinois,  Massachusetts, 
Minnesota,  New  Jersey,  Texas,  and  Wisconsin).^  Many  states  provide  a  safe  harbor  for  an  entity 
that  is  regulated  by  state  or  federal  law  and  maintains  procedures  pursuant  to  such  laws,  rules, 
regulations,  or  guidelines. 

Numerous  data  breaches  and  computer  intrusions  have  been  disclosed  by  the  nation’s  largest  data 
brokers,  retailers,  educational  institutions,  government  agencies,  health  care  entities,  financial 
institutions,  and  Internet  businesses.  The  Privacy  Rights  Clearinghouse  chronicles  and  reports 
that  over  25 1  million  records  containing  sensitive  personal  information*  were  involved  in  security 
breaches  in  the  U.S.  since  January  2005.^  From  February  2005  to  December  2006,  100  million 
personal  records  were  reportedly  lost  or  exposed. In  2006  the  personal  data  of  26.5  million 
veterans  was  breached  when  a  VA  employee’s  hard  drive  was  stolen  from  his  home.  In  2007  the 
retailer  TJX  Companies  revealed  that  46.2  million  credit  and  debit  cards  may  have  been 
compromised  during  the  breach  of  its  computer  network  by  unauthorized  individuals.^'  In  2008 
the  Hannaford  supermarket  chain  revealed  that  approximately  4  million  debit  and  credit  card 
numbers  were  compromised  when  Hannaford’s  computer  systems  were  illegally  accessed  while 
the  cards  were  being  authorized  for  purchase.  There  were  1,800  reported  cases  of  fraud  connected 
to  the  computer  intrusion. 

Data  breaches  involving  sensitive  personal  information  may  result  in  identity  theft  and  financial 
crimes  (e.g.,  credit  card  fraud,  phone  or  utilities  fraud,  bank  fraud,  mortgage  fraud,  employment- 
related  fraud,  government  documents  or  benefits  fraud,  loan  fraud,  and  health-care  fraud). 


*  The  President’s  Identity  Theft  Task  Force,  Combating  Identity  Theft:  A  Strategic  Plan,  April  2007  at 
http://www.identitytheft.gov/reports/StrategicPlan.pdf. 

^  See  Consumers  Union,  Notice  of  Security  Breach  State  Laws  (Last  updated  August  21,  2007)  at 
http://www.consumersunion.org/campaigns/Breach_laws_May05.pdf. 

®  See  State  Security  Breach  Notification  Laws,  National  Conference  of  State  Legislatures  at 
http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm. 

’  See  Timothy  P.  Tobin,  In  Response  To  TJX  Data  Breach,  One  State  Enacts  Legislation  Imposing  New  Security  and 
Liability  Obligations;  Similar  Bills  Pending  in  Five  Other  States,  at  http://privacylaw.proskauer.com/.  The  Minnesota 
bill  was  signed  into  law  on  May  21,  2007.  2007  Minn.  Laws  Ch.  108,  H.F.  1758. 

*  Sensitive  personal  information  generally  includes  an  individual’s  name,  address,  or  telephone  number,  in  conjunction 
with  the  individual’s  Social  Security  number,  driver’s  license  number,  account  number,  credit  or  debit  card  number,  or 
a  personal  identification  number  or  password. 

®  Privacy  Rights  Clearinghouse,  A  Chronology  of  Data  Breaches,  at  http://www.privacyrights.org/ar/ 
ChronDataBreaches.htm. 

Tom  Zeller,  An  Ominous  Milestone:  100  Million  Data  Leaks,  N.  Y.  Times,  Dec.  18,  2006,  at  C3. 

’*  U.S.  Securities  and  Exchange  Commission,  Form  10-K  Annual  Report:  The  TJX  Cos.,  Inc.,  http://www.sec.gov/ 
Archives/edgar/data/109198/000095013507001906/b64407tjel0vk.htm. 
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Identity  theft  involves  the  misuse  of  any  identifying  information,  which  could  include  name, 

SSN,  account  number,  password,  or  other  information  linked  to  an  individual,  to  commit  a 
violation  of  federal  or  state  law/^  According  to  the  Federal  Trade  Commission,  identity  theft  is 
the  most  common  complaint  from  consumers  in  all  50  states,  and  accounts  for  over  35%  of  the 
total  number  of  complaints  the  Identity  Theft  Data  Clearinghouse  received  for  calendar  years 
2004,  2005,  and  2006.  In  calendar  year  2006,’^  of  the  674,354  complaints  received,  246,035  or 
36%  were  identity  theft  complaints. With  continued  media  reports  of  data  security  breaches,'^ 
concerns  about  new  cases  of  identity  theft  are  widespread. 

These  public  disclosures  have  heightened  interest  in  the  security  of  sensitive  personal 
information;'®  security  of  computer  systems;  applicability  of  federal  laws  to  the  protection  of 
sensitive  personal  information;  adequacy  of  enforcement  tools  available  to  law  enforcement 
officials  and  federal  regulators;  business  and  regulation  of  data  brokers; liability  of  retailers, 
credit  card  issuers,  payment  processors,  banks,  and  furnishers  of  credit  reports  for  costs  arising 
from  data  breaches;  remedies  available  to  individuals  whose  personal  information  was  accessed 
without  authorization;'*  prosecution  of  identity  theft  crimes  related  to  data  breaches;  and  criminal 
liability  of  persons  responsible  for  unauthorized  access  to  computer  systems.'^ 


Federal  Information  Security  and  Data  Breach 
Notification  Laws 

The  following  report  describes  information  security  and  data  breach  notification  requirements 
included  in  the  Privacy  Act,  the  Federal  Information  Security  Management  Act,  Office  of 
Management  and  Budget  Guidance,  the  Veterans  Affairs  Information  Security  Act,  the  Health 
Insurance  Portability  and  Accountability  Act,  the  Gramm-Leach-Bliley  Act,  the  Federal  Trade 
Commission  Act,  and  the  Fair  Credit  Reporting  Act. 


Federal  Sector 

A  newly  enacted  federal  law  and  recently  issued  federal  guidance  require  federal  agencies  that 
collect  sensitive  personal  information  to  implement  enhanced  information  security  programs  and 
provide  notice  to  persons  affected  by  data  security  breaches.  The  Veterans  Affairs  Information 


P.L.  105-318,  Identity  Theft  Assumption  and  Deterrence  Act;  18  U.S.C.  §  1028. 

The  last  year  for  which  Identity  Theft  Victim  Complaint  Data  is  available. 

Federal  Trade  Commission,  Identity  Theft  Victim  Complaint  Data,  Feb.  7,  2007,  at  http://www.ftc.gov/bcp/edu/ 
microsites/idtheft/downloads/clearinghouse_2006.pdf. 

See  Nancy  Trejos,  “Identity  Theft  Gets  Personal:  When  a  Debit  Card  Number  Is  Stolen,  America’s  New  Crime  Wave 
Hits  Home,”  Washington  Post  at  FOl  (Jan.  13,  2008). 

BNA  Privacy  &  Security  Law  Report,  Data  Security  Legislation  Expected  to  Face  Big  Challenges,  8  PVLR  51,  Jan. 
12,  2009. 

See  U.S.  Government  Accountability  Office,  Personal  Information:  Key  Federal  Privacy  Laws  Do  Not  Require 
Information  Resellers  to  Safeguard  All  Sensitive  Data  56,  GAO-06-674,  June  26,  2006,  at  http://www.gao.gov/ 
new.items/d06674.pdf. 

**  See  CRS  Report  RL31919,  Federal  Laws  Related  to  Identity  Theft,  updated  by  Gina  Marie  Stevens. 

See  CRS  Report  97-1025,  Cybercrime:  An  Overview  of  the  Federal  Computer  Fraud  and  Abuse  Statute  and  Related 
Federal  Criminal  Laws,  by  Charles  Doyle. 
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Security  Act  of  2006  was  enacted  to  prevent  and  respond  to  data  breaches  in  the  Department  of 
Veterans  Affairs.  The  2007  Office  of  Management  and  Budget  memorandum  on  “Safeguarding 
Against  and  Responding  to  the  Breach  of  Personally  Identifiable  Information”  requires  all  federal 
agencies  to  implement  a  breach  notification  policy  to  safeguard  personally  identifiable 
information. 

Privacy  Act 

The  Privacy  Act  is  the  principal  law  governing  the  federal  government’s  information  privacy 
program.  Other  relevant  federal  laws  include  the  Computer  Matching  and  Privacy  Protection  Act 
of  1988,^°  and  Section  208  of  the  E-Govemment  Act  of  2002  which  requires  agencies  to  conduct 
privacy  impact  assessments  on  new  information  technology  systems  and  electronic  information 
collections.^^  The  Privacy  Act  of  1974^^  governs  the  collection,  use,  and  dissemination  of  a 
“record”  about  an  “individual”  maintained  by  federal  agencies  in  a  “system  of  records.”  The 
act  defines  a  “record”  as  any  item,  collection,  or  grouping  of  information  about  an  individual  that 
is  maintained  by  an  agency  and  contains  his  or  her  name  or  another  personal  identifier.  In  order 
for  an  agency  record  to  be  protected  by  the  Privacy  Act,  it  must  be  retrieved  by  individual  name 
or  individual  identifier.  The  Privacy  Act  also  applies  to  systems  of  records  created  by  government 
contractors.^®  The  Privacy  Act  does  not  apply  to  private  databases. 

The  Privacy  Act  prohibits  the  disclosure  of  any  record  maintained  in  a  system  of  records  to  any 
person  or  agency  without  the  written  consent  of  the  record  subject,  unless  the  disclosure  falls 
within  one  of  twelve  statutory  exceptions.  The  act  allows  most  individuals  to  seek  access  to 
records  about  themselves,  and  requires  that  personal  information  in  agency  files  be  accurate, 
complete,  relevant,  and  timely. The  subject  of  a  record  may  challenge  the  accuracy  of 
information.  The  Privacy  Act  requires  that  when  agencies  establish  or  modify  a  system  of  records, 
they  publish  a  “system-of-records  notice”  in  the  Federal  Register.^* 

Each  agency  that  maintains  a  system  of  records  is  required  to  “establish  appropriate 
administrative,  technical,  and  physical  safeguards  to  insure  the  security  and  confidentiality  of 
records  and  to  protect  against  any  anticipated  threats  or  hazards  to  their  security  or  integrity 
which  could  result  in  substantial  harm,  embarrassment,  inconvenience,  or  unfairness  to  any 
individual ... 


5  U.S.C.  §  552a  note. 

44  U.S.C.  §  3501  note. 

5  U.S.C.  §  552a. 

5  U.S.C.  §  552a(a)(4). 

“The  term  “individual”  means  a  citizen  of  the  United  States  or  an  alien  lawfully  admitted  for  permanent  residence.”  5 
U.S.C.  §  552a(2). 

The  act  defines  “system  of  records”  as  a  group  of  records  under  the  control  of  any  agency  from  which  information  is 
retrieved  by  the  name  of  the  individual  or  by  an  individual  identifier.  Id  at  §  552a(a)(5). 

5  U.S.C.  §  552(m). 

5  U.S.C.  §  552a(e)(5). 

The  Federal  Register  notice  must  identify,  among  other  things,  the  type  of  data  collected,  the  types  of  individuals 
about  whom  information  is  collected,  the  intended  “routine”  uses  of  data,  and  procedures  that  individuals  can  use  to 
review  and  correct  personal  information.  5  U.S.C.  §  552e(4). 

^‘’5U.S.C.  §  552a(e)(10). 


Congressional  Research  Service 


4 


Federal  Information  Security  and  Data  Breach  Notification  Laws 


The  Privacy  Act  provides  legal  remedies  that  permit  an  individual  to  seek  enforcement  of  the 
rights  granted  under  the  act.  The  individual  may  bring  a  civil  suit  against  the  agency.  The  court 
may  order  the  agency  to  amend  the  individual’s  record,  enjoin  the  agency  from  withholding  the 
individual’s  records,  and  may  award  actual  damages  of  $1,000  or  more  to  the  individual  for 
intentional  or  wilful  violations. Courts  may  also  assess  attorneys  fees  and  costs.  The  act  also 
contains  criminal  penalties;  federal  employees  who  fail  to  comply  with  the  act’s  provisions  may 
he  subjected  to  criminal  penalties. 

The  Office  of  Management  and  Budget  (0MB)  is  required  to  prescribe  guidelines  and  regulations 
for  the  use  by  agencies  in  implementing  the  act,  and  provide  assistance  to  and  oversight  of  the 
implementation  of  the  act.^^ 

Federal  Information  Security  Management  Act 

FISMA  is  the  principal  law  governing  the  federal  government’s  information  security  program. 
Title  III  of  the  E-Government  Act  of  2002,  the  Federal  Information  Security  Management  Act  of 
2002  (FISMA)  requires  federal  government  agencies  to  provide  information  security 
protections  for  agency  information  and  information  systems. Agencies  are  required  to  develop, 
document,  and  implement  an  agency  wide  program  “providing  information  security  protections 
commensurate  with  the  risk  and  magnitude  of  the  harm  resulting  from  unauthorized  access,  use, 
disclosure,  disruption,  modification,  or  destruction  of  (i)  information  collected  or  maintained  by 
or  on  behalf  of  the  agency;  and  (ii)  information  systems  used  or  operated  by  an  agency  or  by  a 
contractor  of  an  agency  or  other  organization  on  behalf  of  an  agency.”^"^ 

The  agency’s  information  security  plan  also  must  include  procedures  for  detecting,  reporting,  and 
responding  to  security  incidents;  notifying  and  consulting  with  the  Federal  information  security 
incident  center  and  with  law  enforcement  agencies  and  relevant  Offices  of  Inspector  General. 

The  National  Institute  of  Standards  and  Technology  (NIST)  is  responsible  for  developing 
standards  and  guidelines  for  providing  adequate  information  security  for  all  agency  operations 
and  assets,  except  for  national  security  systems.  Agencies  are  required  to  comply  with  the 
information  security  standards  developed  by  NIST.^®  Agencies  must  also  conduct,  annually,  an 
independent  evaluation  of  their  security  programs.  The  evaluations  are  forwarded  to  the  Director 
of  the  Office  of  Management  and  Budget,  for  an  annual  report  to  Congress.^’  The  Director’s 
authorities  do  not  include  national  security  systems. 


Shortly  after  the  breach  of  the  personal  data  of  26.5  million  veterans  in  2006  by  the  Department  of  Veterans  Affairs, 
veterans  groups  filed  a  class-action  lawsuit  alleging  violations  of  the  Administrative  Procedure  Act  and  the  Privacy 
Act.  Vietnam  Veterans  of  America,  Inc.  et  al.  V.  Nicholson,  No.  l:06-cv-01038-JR  (D.  D.C.  filed  June  6,  2006). 

5  U.S.C.  §  552a(v).  40  Fed.  Reg.  28976  (July  9,  1975). 

Title  III  of  the  E-Government  Act  of  2002,  P.L.  107-347;  44  U.S.C.  §  3541  et  seq. ;  see  CRS  Report  RL32357, 
Computer  Security:  A  Summary  of  Selected  Federal  Laws,  Executive  Orders,  and  Presidential  Directives,  by  John  D. 
Moteff. 

Information  security  means  protecting  information  and  information  systems  from  unauthorized  access,  use, 
disclosure,  disruption,  modification,  or  destruction  in  order  to  provide  integrity,  confidentiality,  and  availability.  44 
U.S.C.  §  3542. 

44  U.S.C.  §  3544(a)(1)(A). 

44  U.S.C.  §  3544(b)(7). 

44  U.S.C.  §  3544(a)(1)(B);  40  U.S.C.  §  11331. 

See  generally  Information  Security:  Agencies  Report  Progress,  but  Sensitive  Data  Remain  at  Risk:  Hearings  Before 
(continued...) 
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Agency  heads  are  responsible  for  compliance  with  FISMA’s  requirements  and  related  information 
security  policies,  procedures,  standards,  and  guidelines,  and  for  ensuring  that  senior  agency 
officials  provide  information  security.  The  authority  to  ensure  compliance  is  delegated  to  the 
agency  Chief  Information  Officer  (CIO).  FISMA  also  assigns  specific  policy  and  oversight 
responsibilities  to  the  Office  of  Management  and  Budget  (0MB). 

Office  of  Management  and  Budget  "Breach  Notification  Policy" 

In  response  to  recommendations  from  the  President’s  Identity  Theft  Task  Force,^^  the  Office  of 
Management  and  Budget  issued  guidance  in  May  2007  for  federal  agencies  on  “Safeguarding 
Against  and  Responding  to  the  Breach  of  Personally  Identifiable  Information.”"*®  The  0MB 
Memorandum  M-07-16  requires  all  federal  agencies  to  implement  a  breach  notification  policy  to 
safeguard  “personally  identifiable  information”  by  August  22,  2007  to  apply  to  both  electronic 
systems  and  paper  documents.*'  To  formulate  their  policy,  agencies  are  directed  to  review 
existing  privacy  and  security  requirements,  and  include  requirements  for  incident  reporting  and 
handling  and  external  breach  notification.  In  addition,  agencies  are  required  to  develop  policies 
concerning  the  responsibilities  of  individuals  authorized  to  access  personally  identifiable 
information. 

Attachment  1  of  the  0MB  memorandum.  Safeguarding  Against  the  Breach  of  Personally 
Identifiable  Information,  reemphasizes  agencies’  responsibilities  under  existing  law  (e.g.,  the 
Privacy  Act  and  FISMA),  executive  orders,  regulations,  and  policy  to  safeguard  personally 
identifiable  information  and  train  employees.  Two  new  privacy  requirements  and  five  new 
security  requirements  are  established.  To  implement  the  new  privacy  requirements,  agencies  are 
required  to  review  current  holdings  of  all  personally  identifiable  information  to  ensure  that  they 


(...continued) 

the  Subcomms.  of  the  House  Comm,  on  Oversight  and  Government  Reform,  1 10*  Cong.  6-8  (2007),  available  at 
http://www.gao.gov/new.items/d07935t.pdf. 

FISMA  defines  a  national  security  system,  in  statute,  as: 

Any  computer  system  (including  any  telecommunications  system)  used  or  operated  by  an  agency  or  by  a  contractor  of 
an  agency,  or  other  organization  on  behalf  of  an  agency — 

(i)  the  function  of  which — 

(I)  involves  intelligence  activities; 

(II)  involves  cryptologic  activities  related  to  national  security; 

(III)  involves  command  and  control  of  military  forces; 

(IV)  involves  equipment  that  is  an  integral  part  of  a  weapon  or  weapons  system; 

(V)  ...is  critical  to  the  direct  fulfillment  of  military  or  intelligence  missions;  or 

(ii)  is  protected  at  all  times  by  procedures  established  for  information  that  have  been  specifically  authorized  under 
criteria  established  by  an  Executive  Order  or  an  Act  of  Congress  to  be  kept  classified  in  the  interest  of  national  defense 
or  foreign  policy. 

The  definition  explicitly  excludes  systems  that  are  used  for  routine  administrative  and  business  applications  (including 
payroll,  finance,  logistics,  and  personnel  management  applications).  P.L.  107-347, §  301(b)(1). 

Exec.  Order  No.  13,402,  71  ER  27945  (2006). 
http://www.whitehouse.gOv/omb/memoranda/fy2007/m07-16.pdf. 

The  memo  defines  the  term  “personally  identifiable  information”  as  “information  which  can  be  used  to  distinguish  or 
trace  an  individual’s  identity,  such  as  their  name,  social  security  number,  biometric  records,  etc.  alone,  or  when 
combined  with  other  personal  or  identifying  information  which  is  linked  or  linkable  to  a  specific  individual,  such  as 
date  and  place  of  birth,  mother’s  maiden  name,  etc.”  Id. 
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are  accurate,  relevant,  timely,  and  complete,  and  reduced  to  the  minimum  necessary  amount. 
Within  120  days,  agencies  must  establish  a  plan  to  eliminate  the  unnecessary  collection  and  use 
of  social  security  numbers  within  eighteen  months.  Agencies  must  implement  the  following  five 
new  security  requirements  (applicable  to  all  federal  information):  encrypt  all  data  on  mobile 
computers/devices  carrying  agency  data;  employ  two-factor  authentication  for  remote  access;  use 
a  “time-out”  function  for  remote  access  and  mobile  devices;  log  and  verify  all  computer-readable 
data  extracts  from  databases  holding  sensitive  information;  and  ensure  that  individuals  and 
supervisors  with  authorized  access  to  personally  identifiable  information  annually  sign  a 
document  describing  their  responsibilities."^^ 

Attachment  2  of  the  0MB  Memorandum,  Incident  Reporting  and  Handling  Requirements,  applies 
to  the  breach  of  personally  identifiable  information  in  electronic  or  paper  format.  Agencies  are 
required  to  report  all  incidents  involving  personally  identifiable  information  within  one  hour  of 
discovery/detection;  and  publish  a  “routine  use”"^^  under  the  Privacy  Act  applying  to  the 
disclosure  of  information  to  appropriate  persons  in  the  event  of  a  data  breach."*"^ 

Attachment  3,  External  Breach  Notification,  identifies  the  factors  agencies  should  consider  in 
determining  when  notification  outside  the  agency  should  be  given  and  the  nature  of  the 
notification.  Notification  may  not  be  necessary  for  encrypted  information.  Each  agency  is 
directed  to  establish  an  agency  response  team.  Agencies  must  assess  the  likely  risk  of  harm 
caused  by  the  breach  and  the  level  of  risk.  Agencies  should  provide  notification  without 
unreasonable  delay  following  the  detection  of  a  breach,  but  are  permitted  to  delay  notification  for 
law  enforcement,  national  security  purposes,  or  agency  needs.  Attachment  3  also  includes 
specifics  as  to  the  content  of  the  notice,  criteria  for  determining  the  method  of  notification,  and 
the  types  of  notice  that  may  be  used. 

Attachment  4,  Rules  and  Consequences  Policy,  directs  each  agency  to  develop  and  implement  a 
policy  outlining  rules  of  behavior  and  identifying  consequences  and  corrective  actions  available 
for  failure  to  follow  these  rules.  Supervisors  may  be  subject  to  disciplinary  action  for  failure  to 
take  appropriate  action  upon  discovering  the  breach  or  failure  to  take  required  steps  to  prevent  a 
breach  from  occurring.  Rules  of  behavior  and  corrective  actions  should  address  the  failure  to 
implement  and  maintain  security  controls  for  personally  identifiable  information;  exceeding 
authorized  access  to,  or  disclosure  to  unauthorized  persons  of,  personally  identifiable 
information;  failure  to  report  any  known  or  suspected  loss  of  control  or  unauthorized  disclosure 
of  personally  identifiable  information;  and  for  managers,  failure  to  adequately  instruct,  train,  or 
supervise  employees  in  their  responsibilities.  Consequences  may  include  reprimand,  suspension, 
removal,  or  other  actions  in  accordance  with  applicable  law  and  agency  policy. 

Veterans  Affairs  Information  Security  Act 

Title  IX  of  RE.  109-461,"^^  the  Veterans  Affairs  Information  Security  Act,  requires  the  Veterans 
Administration  (VA)  to  implement  agency-wide  information  security  procedures  to  protect  the 


The  first  four  information  security  requirements  were  adopted  in  an  earlier  memorandum,  See  0MB  Memo  06-16, 
“Protection  of  Sensitive  Agency  Information”  at  http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf. 

The  Privacy  Act  defines  a  routine  use  to  mean  “with  respect  to  the  disclosure  of  a  record,  the  use  of  such  record  for  a 
purpose  which  is  compatible  with  the  purpose  for  which  it  was  collected.”  5  U.S.C.  §  552a(a)(7). 

OMB  Memorandum  M-07-16,  p.l  1. 

The  Veterans  Benefits,  Health  Care,  and  Information  Technology  Act  of  2006,  P.L.  109-461  (December  22,  2006); 
(continued...) 
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VA’s  “sensitive  personal  information”  (SPI)"^®  and  VA  information  systems.  P.L.  109-461  was 
enacted  to  respond  to  the  May  2006  breach  of  the  personal  data  of  26.5  million  veterans  caused 
by  the  theft  of  a  VA  employee’s  hard  drive  from  his  home.”*’ 

Pursuant  to  P.L.  109-461,  the  VA’s  information  security  program  is  to  provide  for  the 
development  and  maintenance  of  cost  effective  security  controls  to  protect  VA  information,  in  any 
medium  or  format,  and  VA  information  systems."^*  The  information  security  program  is  required 
to  include  the  following  elements:  periodic  assessments  of  the  risk  and  magnitude  of  harm  that 
could  result  from  the  unauthorized  access,  use,  disclosure,  disruption,  modification,  or  destruction 
of  VA  information  and  information  systems;  policies  and  procedures  based  on  risk  assessments 
that  cost-effectively  reduce  security  risks  and  ensure  information  security;  implementation  of 
security  controls  to  protect  the  confidentiality,  integrity,  and  availability  of  VA  information  and 
information  systems;  plans  for  security  for  networks,  facilities,  systems,  or  groups  of  information 
systems;  annual  security  awareness  training  for  employees  and  contractors  and  users  of  VA 
information  and  information  systems;  periodic  testing  of  security  controls;  a  process  for  remedial 
actions;  procedures  of  detecting,  reporting,  and  responding  to  security  incidents;  and  plans  and 
procedures  to  ensure  continuity  of  operations.  Additionally,  the  VA  Secretary  is  directed  to 
comply  with  FISMA,  and  other  security  requirements  issued  by  NIST  and  0MB.  The  law  also 
establishes  specific  information  security  responsibilities  for  the  VA  Secretary,  information 
technology  and  information  security  officials,  VA  information  owners,  other  key  officials,  users 
of  VA  information  systems,  and  the  VA  Inspector  General. 

P.L.  109-461  requires  that  in  the  event  of  a  “data  breach”"^^  of  sensitive  personal  information 
processed  or  maintained  by  the  VA  Secretary,  the  Secretary  must  ensure  that  as  soon  as  possible 
after  discovery  that  either  a  non-VA  entity  or  the  VA’s  Inspector  General  conduct  an  independent 
risk  analysis  of  the  data  breach  to  determine  the  level  of  risk  associated  with  the  data  breach  for 
the  potential  misuse  of  any  sensitive  personal  information.^®  Based  upon  the  risk  analysis,  if  the 
Secretary  determines  that  a  reasonable  risk  exists  of  the  potential  misuse  of  sensitive  personal 
information,  the  Secretary  must  provide  credit  protection  services  in  accordance  with  regulations 
issued  by  the  VA  Secretary.^' 

The  VA  Secretary  is  required  to  report  to  the  Veterans  Committees  the  findings  of  the  independent 
risk  analysis  for  each  data  breach,  the  Secretary’s  determination  regarding  the  risk  for  potential 


(...continued) 

38  U.S.C.  §§  5722  et  seq. 

“The  term  “sensitive  personal  information”,  with  respect  to  an  individual,  means  any  information  about  the 
individual  maintained  by  an  agency,  including  the  following:  (A)  Education,  financial  transactions,  medical  history, 
and  criminal  or  employment  history.  (B)  Information  that  can  be  used  to  distinguish  or  trace  the  individual’s  identity, 
including  name,  social  security  number,  date  and  place  of  birth,  mother’s  maiden  name,  or  biometric  records.”  P.L. 
109-461,  §  902. 

See  CRS  Report  RL33612,  Department  of  Veterans  Affairs:  Information  Security  and  Information  Technology 
Management  Reorganization,  by  Sidath  Viranga  Panangala. 

38  U.S.C.  §  5722. 

“Data  breach  means  the  loss  or  theft  of,  or  other  unauthorized  access  to,  other  than  an  unauthorized  access  incidental 
to  the  scope  of  employment,  data  containing  sensitive  personal  information,  in  electronic  or  printed  form,  that  results  in 
the  potential  compromise  of  the  confidentiality  or  integrity  of  the  data.”  38  U.S.C.  §  5727(4). 

^°38  U.S.  C.  §  5724(a)(1). 

38  U.S.  C.  §  5724(a)(2). 
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misuse  of  sensitive  personal  data,  and  the  provision  of  credit  protection  services. If  the  breach 
involved  the  sensitive  data  of  DOD  civilian  or  enlisted  personnel  the  Secretary  must  also  report  to 
the  Armed  Services  Committees.^^  In  addition,  quarterly  reports  are  to  he  submitted  by  the  VA 
Secretary  to  the  Veterans  Committees  of  Congress  on  any  data  breach  of  sensitive  personal 
information  processed  or  maintained  by  the  VA  during  that  quarter.^'*  With  respect  to  the  breach  of 
SPI  that  the  VA  Secretary  determines  to  be  significant,  notice  must  be  provided  promptly 
following  the  discovery  of  such  data  breach  to  the  Veterans  Committees,  and  if  the  breach 
involved  the  SPI  of  DOD  civilian  or  enlisted  personnel  also  to  the  Armed  Service  Committees.^^ 

PL.  109-461  also  requires  the  VA  to  include  data  security  requirements  in  all  contracts  with 
private-sector  service  providers  that  require  access  to  sensitive  personal  information.^®  All 
contracts  involving  access  to  sensitive  personal  information  must  include  a  prohibition  of  the 
disclosure  of  such  information  unless  the  disclosure  is  lawful  and  expressly  authorized  under  the 
contract;  and  the  condition  that  the  contractor  or  subcontractor  notify  the  Secretary  of  any  data 
breach  of  such  information.  In  addition,  each  contract  must  provide  for  liquidated  damages  to  be 
paid  by  the  contractor  to  the  Secretary  in  the  event  of  a  data  breach  with  respect  to  any  sensitive 
personal  information,  and  that  money  shall  be  made  available  exclusively  for  the  purpose  of 
providing  credit  protection  services. 

PL.  109-461  requires  the  Secretary  of  the  VA  within  180  days  of  enactment  (by  June  22,  2007)  to 
issue  interim  regulations  concerning  notification,  data  mining,  fraud  alerts,  data  breach  analysis, 
credit  monitoring,  identity  theft  insurance,  and  credit  protection  services.®^  Interim  final 
regulations  were  issued  by  the  VA  Deputy  Secretary  on  June  22,  2007  to  address  data  breach 
security  regarding  sensitive  personal  information  processed  or  maintained  by  the  VA.®*  The  final 
regulations,  issued  April  2008,  adopted  the  interim  rule  without  change.®^  The  regulations  do  not 
supercede  the  requirements  imposed  by  other  laws  such  as  the  Privacy  Act,  the  Health  Insurance 
Portability  and  Accountability  Act,  the  Fair  Credit  Reporting  Act,  and  their  implementing  rules. 


Private  Sector 

Other  federal  laws,  such  as  the  Health  Insurance  Portability  and  Accountability  Act  and  the 
Gramm-Leach-Bliley  Act,  require  private  sector  covered  entities  to  maintain  administrative, 
technical,  and  physical  safeguards  to  ensure  the  confidentiality,  integrity,  and  availability  of 
personal  information. 


38  U.S.C.  §  5724(c)(1). 

38  U.S.C.  §  5724(c)(2). 

38  U.S.C.  §  5726. 

38  U.S.C.  §  5724(b). 

“  38  U.S.C.  §  5725. 

38  U.S.  C.  §  5724(b). 

72  Fed.  Reg.  34395  (2007),  38  C.F.R.  §  75,  Subpart  B.  The  interim  final  regulations  implement  the  sections  of  P.L. 
109-461  on  data  breaches,  credit  protections  services,  and  reporting  requirements.  A  separate  rulemaking  will  be 
commenced  to  issue  regulations  to  implement  sections  of  P.L.  109-461  requiring  a  VA  information  security  program 
and  establishing  information  security  responsibilities.  Id. 

73  Fed.  Reg.  19747  (Apr.  11,  2008). 
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Health  Insurance  Portability  and  Accountability  Act 

Part  C  of  the  Health  Insurance  Portahility  and  Accountahility  Act  of  1996  (HIPAA),^°  requires 
“the  development  of  a  health  information  system  through  the  establishment  of  standards  and 
requirements  for  the  electronic  transmission  of  certain  health  information.”^^  These 
“Administrative  Simplification”  provisions  require  the  Secretary  of  Health  and  Human  Services 
to  adopt  national  standards  to:  facilitate  the  electronic  exchange  of  information  for  certain 
financial  and  administrative  transactions;  establish  code  sets  for  data  elements;  protect  the  privacy 
of  individually  identifiable  health  information;  maintain  administrative,  technical,  and  physical 
safeguards  for  the  security  of  health  information;  provide  unique  health  identifiers;  and  to  adopt 
procedures  for  the  use  of  electronic  signatures.®^ 

HIPAA  covered  entities — health  plans,  health  care  clearinghouses,  and  health  care  providers  who 
transmit  financial  and  administrative  transactions  electronically — are  required  to  comply  with  the 
national  standards  and  regulations  promulgated  pursuant  to  Part  C.®^  Under  HIPAA,  the  Secretary 
is  required  to  impose  a  civil  monetary  penalty  on  any  person  failing  to  comply  with  the 
Administrative  Simplification  provisions  in  Part  C.®"*  The  maximum  civil  money  penalty  (i.e.,  the 
fine)  for  a  violation  of  an  administrative  simplification  provision  is  $100  per  violation  and  up  to 
$25,000  for  all  violations  of  an  identical  requirement  or  prohibition  during  a  calendar  year.®® 
HIPAA  also  establishes  criminal  penalties  for  any  person  who  knowingly  and  in  violation  of  the 
Administrative  Simplification  provisions  of  HIPAA  uses  a  unique  health  identifier,  or  obtains  or 
discloses  individually  identifiable  health  information.®®  Enhanced  criminal  penalties  may  be 
imposed  if  the  offense  is  committed  under  false  pretenses,  with  intent  to  sell  the  information  or 
reap  other  personal  gain.  The  penalties  include  (1)  a  fine  of  not  more  than  $50,000  and/or 
imprisonment  of  not  more  than  one  year;  (2)  if  the  offense  is  under  false  pretenses,  a  fine  of  not 
more  than  $100,000  and/or  imprisonment  of  not  more  than  five  years;  and  (3)  if  the  offense  is 
with  intent  to  sell,  transfer,  or  use  individually  identifiable  health  information  for  commercial 
advantage,  personal  gain,  or  malicious  harm,  a  fine  of  not  more  than  $250,000  and/or 
imprisonment  of  not  more  than  10  years.®’  These  penalties  do  not  affect  other  penalties  imposed 
by  other  federal  programs. 

Privacy  Standard 

HIPAA  also  addressed  the  privacy  of  individually  identifiable  health  information  and  required 
adoption  of  a  national  privacy  standard.®^  HHS  issued  final  Standards  for  Privacy  of  Individually 


“  P.L.  104-191,  110  Slat.  1936  (1996),  codified  in  part  at  42  U.S.C.  §§  1320d  et  seq.;  see  CRS  Report  RL33989, 
Enforcement  of  the  HIPAA  Privacy  Rule,  by  Gina  Marie  Stevens. 

42  U.S.C.  §§  1320d— 1320d-8. 

42  U.S.C.  §§  1320d-2(a)-(d).  HHS  has  issued  final  regulations  to  adopt  national  standards  for  transactions  and  code 
sets,  privacy,  security,  and  employer  identifiers. 

42  U.S.C.  §  1320d-4(b)  requires  compliance  with  the  regulations  within  a  certain  time  period  by  “each  person  to 
whom  the  standard  or  implementation  specification  [adopted  or  established  under  sections  1320d-l  and  1320d-2] 
applies. 

'’^2  U.S.C.  §  1320d-5(a). 

“42  U.S.C.  §  1320d-5(a)(l). 

“42  U.S.C.  §  1320d-6. 

“42  U.S.C.  §  1320d-6(b). 

HIPAA  required  a  privacy  standard  that  would  address  the  rights  of  the  subject  of  individually  identifiable  health 
(continued...) 
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Identifiable  Health  Information,  known  as  the  Privacy  Rule,  on  April  14,  2003.®^  The  HIPAA 
Privacy  Rule  is  applicable  to  health  plans,  health  care  clearinghouses,  and  health  care  providers 
who  transmit  financial  and  administrative  transactions  electronically.  The  rule  regulates  protected 
health  information  that  is  “individually  identifiable  health  information”^®  transmitted  by  or 
maintained  in  electronic,  paper,  or  any  other  medium.  The  definition  of  PHI  excludes 
individually  identifiable  health  information  contained  in  certain  education  records  and 
employment  records  held  by  a  covered  entity  in  its  role  as  employer. 

The  HIPAA  Privacy  Rule  limits  the  circumstances  under  which  an  individual’s  protected  health 
information  may  be  used  or  disclosed  by  covered  entities.  A  covered  entity  is  permitted  to  use  or 
disclose  protected  health  information  without  patient  authorization  for  treatment,  payment,  or 
health  care  operations.’^  For  other  purposes,  a  covered  entity  may  only  use  or  disclose  PHI  with 
patient  authorization  subject  to  certain  exceptions.’^  Exceptions  permit  the  use  or  disclosure  of 
PHI  without  patient  authorization  or  prior  agreement  for  public  health,  judicial,  law  enforcement, 
and  other  specialized  purposes.’”*  In  certain  situations  that  would  otherwise  require  authorization, 
a  covered  entity  may  use  or  disclose  PHI  without  authorization  provided  that  the  individual  is 
given  the  opportunity  to  object  or  agree  prior  to  the  use  or  disclosure.’^ 

The  HIPAA  Privacy  Rule  also  provides  for  accounting  of  certain  disclosures;’®  requires  covered 
entities  to  make  reasonable  efforts  to  disclose  only  the  minimum  information  necessary;  requires 
most  covered  entities  to  provide  a  notice  of  their  privacy  practices;”  establishes  individual  rights 
to  review  and  obtain  copies  of  protected  health  information;’*  requires  covered  entities  to 
safeguard  protected  health  information  from  inappropriate  use  or  disclosure;  and  gives 
individuals  the  right  to  request  changes  to  inaccurate  or  incomplete  protected  health 
information.’® 

The  HIPAA  Privacy  Rule  requires  a  covered  entity  to  maintain  reasonable  and  appropriate 
administrative,  technical,  and  physical  safeguards  to  prevent  use  or  disclosure  of  protected  health 
information  in  violation  of  the  Privacy  Rule.*®  The  Office  of  Civil  Rights  (OCR)  in  HHS  enforces 
the  Privacy  Rule.** 


(...continued) 

information,  the  procedures  established  for  the  exercise  of  such  rights,  and  authorized  or  required  uses  and  disclosures 
of  such  information.  P.L.  104-191,  Title  II,  §  264,  Aug.  21,  1996,  110  Stat.  2033,  42  U.S.C.  §  1320d-2  (note). 

®  45  C.  F.R.  Part  164  Subpart  E — Privacy  of  Individually  Identifiable  Health  Information. 

™45  C.F.R.  §  160.103. 

See  South  Carolina  Medical  Assoc,  v.  Thompson,  327  F.3d  346  (4*  Cir.  2003)(HIPAA  could  be  interpreted  to 
include  non-electronic  medical  records). 


72 

45 

C.F.R.  § 

164.506. 

73 

45 

C.F.R.  § 

164.508. 

74 

45 

C.F.R.  § 

164.5 12(a)-(l). 

75 

45 

C.F.R.  § 

164.510. 

76 

45 

C.F.R.  § 

164.528. 

77 

45 

C.F.R.  § 

164.520. 

78 

45 

C.F.R.  § 

164.524. 

79 

45 

C.  F.R.  § 

164.526. 

80 

45 

C.F.R.  § 

164.530(c). 

81 

65 

Fed.  Reg 

:.  82381. 
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Security  Standard 

Regulations  governing  security  standards  under  HIPAA  require  health  care  covered  entities  to 
maintain  administrative,  technical,  and  physical  safeguards  to  ensure  the  confidentiality,  integrity, 
and  availability  of  electronic  “protected  health  information”^^;  to  protect  against  any  reasonably 
anticipated  threats  or  hazards  to  the  security  or  integrity  of  such  information,  as  well  as  protect 
against  any  unauthorized  uses  or  disclosures  of  such  information.*^  The  Centers  for  Medicare  and 
Medicaid  Services  (CMS)  has  been  delegated  authority  to  enforce  the  HIPAA  Security  Standard.*"^ 

The  Security  Rule  applies  only  to  protected  health  information  in  electronic  form  (EPHI),  and 
requires  a  covered  entity  to  ensure  the  confidentiality,  integrity,  and  availability  of  all  EPHI  the 
covered  entity  creates,  receives,  maintains,  or  transmits.  Covered  entities  must  protect  against  any 
reasonably  anticipated  threats  or  hazards  to  the  security  or  integrity  of  such  information,  and  any 
reasonably  anticipated  uses  or  disclosures  of  such  information  that  are  not  permitted  or  required 
under  the  Privacy  Rule;  and  ensure  compliance  by  its  workforce.*^ 

The  Security  Rule  allows  covered  entities  to  consider  such  factors  as  the  cost  of  a  particular 
security  measure,  the  size  of  the  covered  entity  involved,  the  complexity  of  the  approach,  the 
technical  infrastructure  and  other  security  capabilities  in  place,  and  the  nature  and  scope  of 
potential  security  risks.  The  Security  Rule  establishes  “standards”  that  covered  entities  must  meet, 
accompanied  by  implementation  specifications  for  each  standard.  The  Security  Rule  identifies 
three  categories  of  standards:  administrative,  physical,  and  technical. 

The  Security  Rule  requires  covered  entities  to  enter  into  agreements  with  business  associates  who 
create,  receive,  maintain  or  transmit  EPHI  on  their  behalf.  Under  such  agreements,  the  business 
associate  must:  implement  administrative,  physical  and  technical  safeguards  that  reasonably  and 
appropriately  protect  the  confidentiality,  integrity  and  availability  of  the  covered  entity’s 
electronic  protected  health  information;  ensure  that  its  agents  and  subcontractors  to  whom  it 
provides  the  information  do  the  same;  and  report  to  the  covered  entity  any  security  incident  of 
which  it  becomes  aware.  The  contract  must  also  authorize  termination  if  the  covered  entity 
determines  that  the  business  associate  has  violated  a  material  term.  A  covered  entity  is  not  liable 
for  violations  by  the  business  associate  unless  the  covered  entity  knew  that  the  business  associate 
was  engaged  in  a  practice  or  pattern  of  activity  that  violated  HIPAA,  and  the  covered  entity  failed 
to  take  corrective  action. 


“The  term  “individually  identifiable  health  information”  means  any  information,  including  demographic  information 
collected  from  an  individual,  that  -  (A)  is  created  or  received  by  a  health  care  provider,  health  plan,  employer,  or  health 
care  clearinghouse;  and  (B)  relates  to  the  past,  present,  or  future  physical  or  mental  health  or  condition  of  an  individual, 
the  provision  of  health  care  to  an  individual,  or  the  past,  present,  or  future  payment  for  the  provision  of  health  care  to 
an  individual,  and  -  (i)  identifies  the  individual;  or  (ii)  with  respect  to  which  there  is  a  reasonable  basis  to  believe  that 
the  information  can  be  used  to  identify  the  individual.  42  U.S.C.  §  1320d(6). 

HIPAA  Security  Standards  for  the  Protection  of  Electronic  Personal  Health  Information,  45  C.F.R.  Part  164 
(February  20,  2003). 

See  generally.  Centers  for  Medicare  and  Medicaid  Services,  Security  Materials  at  http://www.cms.hhs.gov/ 
EducationMaterials/04_SecurityMaterials.asp#TopOfPage. 

“  45  C.F.R.  §  164.306(a). 
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Gramm-Leach-Bliley  Act 

Title  V  of  the  Gramm-Leach-Bliley  Act  of  1999  (GLBA)  requires  financial  institutions  to  provide 
customers  with  notice  of  their  privacy  policies,  and  requires  financial  institutions  to  safeguard  the 
security  and  confidentiality  of  customer  information,  to  protect  against  any  anticipated  threats  or 
hazards  to  the  security  or  integrity  of  such  records;  and  to  protect  against  unauthorized  access  to 
or  use  of  such  records  or  information  which  could  result  in  substantial  harm  or  inconvenience  to 
any  customer.^^  Financial  institutions  are  defined  as  businesses  that  are  engaged  in  certain 
“financial  activities”  described  in  Section  4(k)  of  the  BankHolding  Company  Act  of  1956  and 
accompanying  regulations.*’  Such  activities  include  traditional  banking,  lending,  and  insurance 
functions,  along  with  other  financial  activities.  Financial  institutions  are  prohibited  from 
disclosing  “nonpublic  personal  information”**  to  non-affiliated  third  parties  without  providing 
customers  with  a  notice  of  privacy  practices  and  an  opportunity  to  opt-out  of  the  disclosure.  A 
number  of  statutory  exceptions  are  provided  to  this  disclosure  rule,  including  that  financial 
institutions  are  permitted  to  disclose  nonpublic  personal  information  to  a  non-affiliated  third  party 
to  perform  services  for  or  functions  on  behalf  of  the  financial  institution. 

Privacy  Rule 

Regulations  implementing  GLBA’s  privacy  requirements  published  by  the  federal  banking 
regulators  govern  the  treatment  of  nonpublic  personal  information  about  consumers  by  financial 
institutions,*^  require  a  financial  institution  in  specified  circumstances  to  provide  notice  to 
customers  about  its  privacy  policies  and  practices,  describe  the  conditions  under  which  a  financial 
institution  may  disclose  nonpublic  personal  information  about  consumers  to  nonaffiliated  third 
parties,  and  provide  a  method  for  consumers  to  prevent  a  financial  institution  from  disclosing  that 
information  to  most  nonaffiliated  third  parties  by  “opting  out”  of  that  disclosure,  subject  to 

90 

exceptions. 


“  15  U.S.C.  §  6801  -  6809. 

12  U.S.C.  §  1843(k). 

**  (4)  Nonpublic  personal  information. 

(A)  The  term  “nonpublic  personal  information”  means  personally  identifiable  financial  information — 

(i)  provided  by  a  consumer  to  a  financial  institution; 

(ii)  resulting  from  any  transaction  with  the  consumer  or  any  service  performed  for  the  consumer;  or 

(iii)  otherwise  obtained  by  the  financial  institution. 

(B)  Such  term  does  not  include  publicly  available  information,  as  such  term  is  defined  by  the  regulations  prescribed 
under  section  6804  of  this  title. 

(C)  Notwithstanding  subparagraph  (B),  such  term — 

(i)  shall  include  any  list,  description,  or  other  grouping  of  consumers  (and  publicly  available  information  pertaining  to 
them)  that  is  derived  using  any  nonpublic  personal  information  other  than  publicly  available  information;  but 

(ii)  shall  not  include  any  list,  description,  or  other  grouping  of  consumers  (and  publicly  available  information  pertaining 
to  them)  that  is  derived  without  using  any  nonpublic  personal  information.  15  U.S.C.  §  6809(4). 

16  C.F.R.  Part  13  (FTC);  12  C.F.R.  Parts  40  (OCC),  216  (FRB),  332  (FDIC),  573  (OTS),  and  716  (NCUA). 

See  generally,  12  C.F.R.  225.28,  225.86. 
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FTC  Safeguards  Rule 

This  rule  implements  GLBA’s  requirements  for  entities  under  FTC  jurisdiction.  The  Safeguards 
Rule  applies  to  all  businesses,  regardless  of  size,  that  are  “significantly  engaged”  in  providing 
financial  products  or  services.  These  include,  for  example,  check-cashing  businesses,  payday 
lenders,  mortgage  brokers,  nonbank  lenders,  real  estate  appraisers,  and  professional  tax  preparers. 
The  Safeguards  Rule  also  applies  to  companies  like  credit  reporting  agencies  and  ATM  operators 
that  receive  information  about  the  customers  of  other  financial  institutions.  The  rule  requires 
financial  institutions  to  have  an  information  security  plan  that  “contains  administrative,  technical, 
and  physical  safeguards”  to  “insure  the  security  and  confidentiality  of  customer  information: 
protect  against  any  anticipated  threats  or  hazards  to  the  security  or  integrity  of  such  information; 
and  protect  against  unauthorized  access  to  or  use  of  such  information  that  could  result  in 
substantial  harm  or  inconvenience  to  any  customer.”®^  Using  its  authority  under  the  Safeguards 
Rule,  the  Commission  has  brought  a  number  of  enforcement  actions  to  address  the  failure  to 
provide  reasonable  and  appropriate  security  to  protect  consumer  information.^^ 

Information  Security  Guidelines 

Section  501(b)  of  GLBA  requires  the  banking  agencies  to  establish  standards  for  financial 
institutions  relating  to  administrative,  technical,  and  physical  safeguards  to  ensure  the  security, 
confidentiality,  and  integrity  of  customer  information,  protect  against  any  anticipated  threats  or 
hazards  to  the  security  or  integrity  of  such  information,  and  protect  against  unauthorized  access  to 
or  use  of  such  information  that  could  result  in  substantial  harm  or  inconvenience  to  any  customer. 

Interagency  Guidance  issued  by  the  federal  banking  regulators'^  applies  to  customer  information 
which  is  defined  as  “any  record  containing  nonpublic  personal  information  ...  about  a  customer, 
whether  in  paper,  electronic,  or  other  form,  that  is  maintained  by  or  on  behalf  of’  a  financial 
institution.”^"^  The  security  guidelines  direct  each  financial  institution  to  assess  the  risks  of 
reasonably  foreseeable  threats  that  could  result  in  unauthorized  disclosure,  misuse,  alteration,  or 
destruction  of  customer  information  and  customer  information  systems,  the  likelihood  and 
potential  damage  of  threats,  and  the  sufficiency  of  policies,  procedures,  customer  information 
systems,  and  other  controls.  Following  the  assessment  of  risks,  the  security  guidelines  require  a 
financial  institution  to  manage  and  control  the  risk  through  the  design  of  a  program  to  address  the 
identified  risks,  train  staff  to  implement  the  program,  regularly  test  the  key  controls,  systems,  and 
procedures  of  the  information  security  program,  and  develop  and  maintain  appropriate  measures 
to  dispose  of  customer  information.  The  security  guidelines  also  direct  every  financial  institution 
to  require  its  service  providers  by  contract  to  implement  appropriate  measures  designed  to  protect 
against  unauthorized  access  to  or  use  of  customer  information  that  could  result  in  substantial 
harm  or  inconvenience  to  any  customer.  Each  financial  institution  is  required  to  monitor. 


**  Standards  for  Insuring  the  Security,  Confidentiality,  Integrity  and  Protection  of  Customer  Records  and  Information, 
16  C.F.R.  Part  314. 

For  information  on  enforcement  actions  the  Commission  has  brought  involving  the  privacy  of  consumer  information 
under  Section  5  of  the  FTC  Act,  see  http://www.ftc.gov/privacy/privacyinitiatives/safeguards_enf.html. 

See  12  C.F.R.  Part  30,  App.  B  (national  banks);  12  C.F.R.  Part  208App.  D-2  and  Part  255,  App.  F  (state  member 
banks  and  holding  companies);  12  C.F.R.  Part  364,  App.  B  (state  non-member  banks);  12  C.F.R.  Part  570,  App.  B 
(savings  associations;  12  C.F.R.  Part  748,  App.  A  (credit  unions). 

See  Board  of  Governors  Federal  Reserve  System,  The  Commercial  Bank  Examination  Manual,  Supp.  27,  984-1034 
(May  2007),  at  http://www.federalreserve.gOv/boarddocs/SupManual/cbem/200705/0705cbem.pdf. 
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evaluate,  and  adjust  its  information  security  program  as  necessary.  Finally,  each  financial 
institution  is  required  to  report  to  its  board  at  least  annually  on  its  information  security  program, 
compliance  with  the  security  guidelines,  and  issues  such  as  risk  assessment,  risk  management  and 
control  decisions,  service  provider  arrangements,  results  of  testing,  security  breaches  or  violations 
and  management’s  responses,  and  recommendations  for  changes  in  the  information  security 
program. 

Response  Programs  for  Unauthorized  Access  to  Customer  Inf ormation  and 
Customer  Notice 

The  security  guidelines  recommend  implementation  of  a  risk-based  response  program,  including 
customer  notification  procedures,  to  address  unauthorized  access  to  or  use  of  customer 
information  maintained  by  a  financial  institution  or  its  service  provider  that  could  result  in 
substantial  harm  or  inconvenience  to  any  customer,  and  require  disclosure  of  a  data  security 
breach  if  the  covered  entity  concludes  that  “misuse  of  its  information  about  a  customer  has 
occurred  or  is  reasonably  possible.”^^  Pursuant  to  the  guidance,  substantial  harm  or  inconvenience 
is  most  likely  to  result  from  improper  access  to  “sensitive  customer  information.”^® 

At  a  minimum,  an  institution’s  response  program  should  contain  procedures  for:  assessing  the 
nature  and  scope  of  an  incident  and  identifying  what  customer  information  systems  and  types  of 
customer  information  have  been  accessed  or  misused;  notifying  its  primary  federal  regulator 
when  the  institution  becomes  aware  of  an  incident  involving  unauthorized  access  to  or  use  of 
sensitive  customer  information;  consistent  with  the  Agency’s  Suspicious  Activity  Report  (“SAR”) 
regulations,  notifying  appropriate  law  enforcement  authorities;  taking  appropriate  steps  to  contain 
and  control  the  incident  to  prevent  further  unauthorized  access  to  or  use  of  customer  information 
(e.g.,  by  monitoring,  freezing,  or  closing  affected  accounts  and  preserving  records  and  other 
evidence);  and  notifying  customers  when  warranted. 

The  security  guidelines  note  that  financial  institutions  have  an  affirmative  duty  to  protect  their 
customers’  information  against  unauthorized  access  or  use,  and  that  customer  notification  of  a 
security  breach  involving  the  customer’s’s  information  is  a  key  part  of  that  duty.  The  guidelines 
prohibit  institutions  from  forgoing  or  delaying  customer  notification  because  of  embarrassment  or 
inconvenience. 

The  guidelines  provide  that  when  a  financial  institution  becomes  aware  of  an  incident  of 
unauthorized  access  to  sensitive  customer  information,  the  institution  should  conduct  a  reasonable 
investigation  to  promptly  determine  the  likelihood  that  the  information  has  been  or  will  be 
misused.  If  the  institution  determines  that  misuse  has  occurred  or  is  reasonably  possible,  it  should 
notify  the  affected  customer  as  soon  as  possible.  Customer  notice  may  be  delayed  if  an 


Interagency  Guidance  on  Response  Programs  for  Unauthorized  Access  to  Customer  Information  and  Customer 
Notice,  Part  III  of  Supplement  A  to  Appendix,  at  12  C.F.R.  Part  30  (OCC),  Supplement  A  to  Appendix  D-2,  at  12 
C.F.R.  Part  208  (Federal  Reserve  System),  12  C.F.R.  Part  364  (FDIC),  and  12  C.F.R.  Part  568  (Office  of  Thrift 
Supervision),  70  Fed.  Reg.  15736  -  15754  (March  29,  2005). 

“Sensitive  customer  information  means  a  customer’s  name,  address,  or  telephone  number,  in  conjunction  with  the 
customer’s  social  security  number,  driver’s  license  number,  account  number,  credit  or  debit  card  number,  or  a  personal 
identification  number  or  password  that  would  permit  access  to  the  customer’s  account.  Sensitive  customer  information 
also  includes  any  combination  of  components  of  customer  information  that  would  allow  someone  to  log  onto  or  access 
the  customer’s  account,  such  as  user  name  and  password  or  password  and  account  number.”  70  Fed.  Reg.  15736-15754 
(March  29,  2005). 
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appropriate  law  enforcement  agency  determines  that  notification  will  interfere  with  a  criminal 
investigation  and  provides  the  institution  with  a  written  request  for  the  delay.  The  institution 
should  notify  its  customers  as  soon  as  notification  will  no  longer  interfere  with  the  investigation. 

If  a  financial  institution  can  determine  which  customers’  information  has  been  improperly 
accessed,  it  may  limit  notification  to  those  customers  whose  information  it  determines  has  been 
misused  or  is  reasonably  likely  to  be  misused.  In  situations  where  the  institution  determines  that  a 
group  of  files  has  been  accessed  improperly,  but  is  unable  to  identify  which  specific  customers’ 
information  has  been  accessed,  and  the  institution  determines  that  misuse  of  the  information  is 
reasonably  possible,  it  should  notify  all  customers  in  the  group.  The  guidelines  also  address  what 
information  should  be  included  in  the  notice  sent  to  the  financial  institution’s  customers. 

Federal  Trade  Commission  Act 

The  Federal  Trade  Commission  (FTC),  an  independent  agency  of  the  U.S.  government,  was 
established  by  the  Federal  Trade  Commission  Act  of  1914  (FTCA).^’  Its  principal  mission  is  the 
promotion  of  consumer  protection  and  the  elimination  and  prevention  of  anticompetitive  business 
practices.  The  Commission’s  jurisdiction  extends  to  a  variety  of  entities  and  individuals  operating 
in  commerce.  The  FTC  has  taken  a  multi-faceted  approach  to  protecting  the  privacy  and  security 
of  consumers’  personal  information.  Its  enforcement  tools  include  laws  and  regulations  such  as 
the  Safeguards  Rule  issued  under  the  Gramm-Leach-Bliley  Act,  which  requires  financial 
institutions  to  take  reasonable  measures  to  protect  customer  data,  and  the  Disposal  Rule  under  the 
FACT  Act  which  requires  companies  to  dispose  of  credit  report  data  in  accord  with  a  set  of 
practices  designed  to  prevent  others  from  using  that  data  without  authorization.^* 

Section  5  of  the  FTC  Act  prohibits  “unfair  or  deceptive  acts  or  practices  in  or  affecting 
commerce.”^^  Unfair  practices  are  practices  that  cause  or  are  likely  to  cause  consumers 
substantial  injury  that  is  neither  reasonably  avoidable  by  consumers  not  offset  any  countervailing 
benefit  to  consumers  or  competition. A  representation,  omission,  or  practice  is  deceptive  if  (1) 
it  is  likely  to  mislead  consumers  acting  reasonably  under  the  circumstances;  and  (2)  it  is 
material — likely  to  affect  consumers’  conduct  or  decisions  with  respect  to  the  product  at  issue. 

The  Commission  has  used  Section  5  to  challenge  deceptive  claims  companies  have  made  about 
the  privacy  and  security  of  their  customers’  personal  information.  In  deceptive  security  claims 
cases  the  FTC  alleged  that  the  companies  had  made  promises  to  take  reasonable  steps  to  protect 
sensitive  consumer  information,  and  that  they  did  not  implement  reasonable  and  appropriate 
measures  to  protect  the  sensitive  personal  information  obtained  from  customers  against 
unauthorized  access. In  unfair  practices  cases,  the  FTC  has  alleged  that  a  company’s  failure  to 
employ  reasonable  and  appropriate  security  measures  to  protect  consumers’  personal  information 


15  U.S.C.  §§  41-58. 

**  See  CRS  Report  RL32535,  Implementation  of  the  Fair  and  Accurate  Credit  Transactions  (FACT)  Act  of 2003,  by 
Angie  A.  Welbom  and  Grace  Chu. 

15  U.S.C.  §§  45(a). 

15  U.S.C.  §  45(n). 

Cliffdale  Associates  Inc.,  103  F.T.C.  110(1984). 

For  information  on  enforcement  actions  involving  the  privacy  of  consumer  information  under  Section  5  of  the  FTC 
Act,  see  http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html. 
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caused  or  was  likely  to  cause  substantial  injury  to  consumers  that  was  not  offset  by  countervailing 
benefits  to  consumers  or  competition  and  was  not  reasonably  avoidable  by  consumers. 

In  cases  where  the  FTC  did  not  have  authority  to  assess  civil  money  penalties,  the  FTC  entered 
into  consent  orders  requiring  the  defendants  to  implement  information  security  programs  (e.g., 
B.J.’s  Wholesale  Club,  DSW,  Inc.,  and  Card  Systems).  In  a  recent  case  where  violations  of  the 
Federal  Trade  Commission  Act  and  the  Fair  Credit  Reporting  Act  were  alleged,  the  largest  civil 
money  penalty  ever  by  the  FTC  ($10  million)  was  assessed. 

Fair  Credit  Reporting  Act,  as  amended  by  the  Fair  and  Accurate  Transactions 
Act 

The  Fair  Credit  Reporting  Act  of  1970  (FCRA)  regulates  credit  bureaus,  entities  or  individuals 
who  uses  credit  reports,  and  businesses  that  furnish  information  to  credit  bureaus. “[A]  major 
purpose  of  the  Act  is  the  privacy  of  a  consumer’s  credit-related  data.”’°"^  Consumer  reporting 
agencies,  also  known  as  credit  bureaus,  have  particular  responsibilities  with  respect  to  ensuring 
that  a  consumer’s  information  is  used  only  for  purposes  that  are  permissible  under  the  act,^°^  for 
ensuring  that  “reasonable  procedures”  are  employed  (including  making  reasonable  efforts  to 
verify  the  identity  of  each  new  prospective  user  of  consumer  report  information  and  the  uses 
certified  by  each  prospective  user  prior  to  furnishing  such  user  a  consumer  report)  to  ensure  that 
consumer  reports  are  supplied  only  to  those  with  a  permissible  purpose, and  for  correcting 
information  in  a  consumer’s  report  that  may  be  incorrect  or  the  result  of  fraud.  Permissible 
purposes  include  decisions  involving  credit,  insurance,  or  employment. A  consumer  reporting 
agency  is  also  permitted  to  provide  reports  to  persons  having  “a  legitimate  business  need”  for  the 
information  in  connection  with  a  consumer-oriented  transaction.  The  Act  and  its  requirements 
only  apply  to  entities  that  fall  within  the  definition  of  a  “consumer  reporting  agency,” and  only 
to  products  that  fall  within  the  definition  of  a  “consumer  report.” 

The  Fair  and  Accurate  Transactions  Act  (“FACT  Act”)  amended  FCRA,  adding  requirements 
designed  to  prevent  identity  theft  and  assist  identity  theft  victims.  The  FACT  Act  also  included  a 


15  U.S.C.  §§  1681  -  1681x,  as  amended. 

Trans  Union  Corp.  v.  FTC,  81  F.3d  228,  234  (D.C.  Cir.  1996). 

15  U.S.C.  §  1681e(a). 

15  U.S.C.  §  1681e. 

For  a  detailed  discussion  of  the  Fair  Credit  Reporting  Act,  see  CRS  Report  RL3 1666,  Fair  Credit  Reporting  Act: 
Rights  and  Responsibilities,  by  Margaret  Mikyung  Lee. 

15  U.S.C.  §  1681b. 

The  FCRA  defines  “consumer  reporting  agency”  as  “any  person  which,  for  monetary  fees,  dues,  or  on  a  cooperative 
nonprofit  basis,  regularly  engages  in  whole  or  in  part  in  the  practice  of  assembling  or  evaluating  consumer  credit 
information  or  other  information  on  consumers  for  the  purpose  of  furnishing  consumer  reports  to  third  parties,  and 
which  uses  any  means  or  facility  of  interstate  commerce  for  the  purpose  of  preparing  or  furnishing  consumer  reports.” 
15  U.S.C.  §  1681a(f). 

A  “consumer  report”  is  “any  written,  oral,  or  other  communication  of  any  information  by  a  consumer  reporting 
agency  bearing  on  a  consumer’s  credit  worthiness,  credit  standing,  credit  capacity,  character,  general  reputation, 
personal  characteristics,  or  mode  of  living  which  is  used  or  expected  to  be  used  or  collected  in  whole  or  in  part  for  the 
purpose  of  serving  as  a  factor  in  establishing  the  consumer’ s  eligibility  for  credit  or  insurance  to  be  used  primarily  for 
personal,  family,  or  household  purposes;  employment  purposes;  or  any  other  purpose  authorized  under  section  604  [of 
the  FCRA].”  15  U.S.C.  §  1681a(d). 
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provision  requiring  financial  regulatory'^'  agencies  and  the  FTC  to  promulgate  a  coordinated  rule 
designed  to  prevent  unauthorized  access  to  consumer  report  information  hy  requiring  reasonable 
procedures  for  the  proper  disposal  of  such  information. 

The  Federal  Trade  Commission  enforces  the  FCRA.  A  violation  under  the  FCRA  is  deemed  to  he 
an  unfair  or  deceptive  act  or  practice  in  violation  of  section  5(a)  of  the  FTC  Act.  There  are  various 
penalties  for  violating  the  FCRA,  the  applicability  of  a  particular  provision  depends  on  such 
factors  as  who  brings  the  action  and  the  degree  of  the  violator’s  noncompliance.  For  example,  the 
Act  imposes  liability  for  both  willful  noncompliance  and  negligent  noncompliance. The 
monetary  penalties  include  actual  damages  sustained  by  a  consumer,  plus  costs  and  attorneys 
fees.  In  the  case  of  willful  violations,  the  court  may  also  award  punitive  damages  to  a  consumer. 
Any  person  who  procures  a  consumer  report  under  false  pretenses,  or  knowingly  without  a 
permissible  purpose,  is  liable  for  $1000  or  actual  damages  (whichever  is  greater)  to  both  the 
consumer  and  to  the  consumer  reporting  agency."^  Also,  the  Act  governs  enforcement  actions 
brought  by  the  Commission,  other  agencies,  and  the  states,  and  provides  for  various  monetary  and 
injunctive  penalties. ""'For  those  who  knowingly  violate  the  FCRA,  the  monetary  penalties 
include  up  to  $2500  per  violation  in  a  civil  action  brought  by  the  Commission."^ 


Payment  Card  Industry  Data  Security  Standard 

The  payment  card  industry  has  also  issued  security  standards  and  reporting  requirements  for 
organizations  that  handle  bank  cards."®  The  Payment  Card  Industry  Data  Security  Standard  (PCI 
DSS)  is  an  industry  regulation  developed  by  VISA,  MasterCard,  and  other  bank  card  distributors. 
It  requires  organizations  that  handle  hank  cards  to  conform  to  security  standards  and  follow 
certain  leveled  requirements  for  testing  and  reporting.  The  core  of  the  PCI  DSS  is  a  group  of 
principles  and  accompanying  requirements  designed  to  build  and  maintain  a  secure  network, 
protect  cardholder  data,  maintain  a  vulnerability  management  program,  implement  strong  access 
control  measures,  monitor  and  test  networks,  and  maintain  an  information  security  policy.  PCI 
DSS  went  into  effect  December  31,  2006.  On  October  1,  2008,  the  PCI  Security  Standards 
Council  (PCI  SSC)  announced  general  availability  of  version  1.2  of  the  PCI  DSS  that  does  not 
introduce  any  new  major  requirements  to  the  existing  standard,  but  does  change  some  practices. 
Entities  that  fail  to  comply  with  PCI  DSS  face  fines  and  increases  in  the  rates  that  the  credit  card 
companies  charge  for  transactions,  and  potentially  can  have  their  authorization  to  process 
payment  cards  revoked.  Legislation  has  been  passed  in  the  Texas  House  mandating  compliance 
with  the  PCI  DSS  standard."’ 


P.L.  108-159,  117  Slat.  1952. 

“M5U.S.C.  §  1681n(a). 

“M5  U.S.C.  §  1681n(b). 

“M5U.S.C.  §  1681s. 

“M5U.S.C.  §  1681s(2)(A). 

Available  at  https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml. 

See,  2007  Tex.  H.  B.  No.  3222  which  mandates  PCI  DSS  compliance,  and  provides  a  safe  harbor  under  the  statute  if 
the  business  that  suffered  the  data  breach  was  in  compliance  with  PCI  DSS  90  days  before  the  date  of  the  security 
breach. 
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